Bug 2222583

Summary: Remote resource referenced from datastream is missing https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2
Product: Red Hat Enterprise Linux 8
Reporter: Welterlen Benoit <bwelterl>
Component: scap-security-guide
Assignee: Vojtech Polasek <vpolasek>
Status: ON_QA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: high
Version: 8.8
CC: ggasparb, jcerny, jjaburek, matyc, mhaicman, mlysonek, qguo, rmetrich, sujagtap, wsato
Target Milestone: rc
Keywords: AutomationTriaged, AutoVerified, Triaged, ZStream
Hardware: All
OS: Linux
Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Bug Fix
Doc Text:
.Red Hat CVE feeds have been moved
Version 1 of the Red Hat CVE feeds at https://access.redhat.com/security/data/oval/ has been sunset and replaced by version 2 of the CVE feeds, located at https://access.redhat.com/security/data/oval/v2/. Consequently, the links in the SCAP source data streams provided by the `scap-security-guide` package have been updated to point to the new version of the Red Hat CVE feeds.
Type: Bug
Bug Blocks: 2228452, 2228453, 2222984    

Description Welterlen Benoit 2023-07-13 07:53:08 UTC
Description of problem:
When trying to scan with the ssg-rhel8-ds profile, the remote resource is no longer available on the Red Hat website:

~~~
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 2>&1 | grep 'WARNING: Skipping'
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
~~~

~~~
wget https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2
--2023-07-12 00:02:10--  https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2
Resolving access.redhat.com (access.redhat.com)... 96.17.150.153, 96.17.150.168, 2600:140f:6::172c:a50, ...
Connecting to access.redhat.com (access.redhat.com)|96.17.150.153|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-07-12 00:02:11 ERROR 404: Not Found.
~~~

Only V2 versions are available in https://access.redhat.com/security/data/oval

Why have the old versions been removed? Even if they are not updated anymore, they are needed for previous packages.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.66-2.el8_7.noarch
RHEL8

How reproducible:
always

Steps to Reproduce:
1. yum install scap-security-guide.noarch
2. run oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

Actual results:
Profile not updated

Expected results:
Remote resource available on the Red Hat website

Additional info:

Comment 1 Vojtech Polasek 2023-07-17 13:54:18 UTC
Fixed upstream: https://github.com/ComplianceAsCode/content/pull/10842
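
The report above turns on remote references embedded in the data stream. The following is an added example, not code from the bug report or from the scap-security-guide project: it lists every component reference that leaves the file and flags those that still point at the sunset version 1 feed location. It assumes the SCAP 1.2 source data stream layout (`ds:component-ref` elements carrying `xlink:href`); the sample XML, its ids and the `EXAMPLE.xml.bz2` file name are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

DS = "{http://scap.nist.gov/schema/scap/source/1.2}"
XLINK = "{http://www.w3.org/1999/xlink}"
FEED_HOST = "access.redhat.com"
V1_PREFIX = "/security/data/oval/"     # sunset location named in the Doc Text
V2_PREFIX = "/security/data/oval/v2/"  # replacement location

# Constructed sample: a minimal data stream, not the shipped ssg-rhel8-ds.xml.
# The ids and the v2 file name EXAMPLE.xml.bz2 are placeholders.
SAMPLE = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <ds:data-stream id="ds1"><ds:checks>
    <ds:component-ref id="local-oval" xlink:href="#comp-oval"/>
    <ds:component-ref id="old-feed"
      xlink:href="https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2"/>
    <ds:component-ref id="new-feed"
      xlink:href="https://access.redhat.com/security/data/oval/v2/EXAMPLE.xml.bz2"/>
  </ds:checks></ds:data-stream>
</ds:data-stream-collection>"""


def classify(href):
    """Return 'v1-sunset', 'v2' or 'other' for a remote component-ref href."""
    url = urlparse(href)
    if url.hostname != FEED_HOST:
        return "other"
    if url.path.startswith(V2_PREFIX):
        return "v2"
    return "v1-sunset" if url.path.startswith(V1_PREFIX) else "other"


def audit(xml_data):
    """List (id, href, class) for each component-ref that leaves the file."""
    findings = []
    for cref in ET.fromstring(xml_data).iter(DS + "component-ref"):
        href = cref.get(XLINK + "href", "")
        if href and not href.startswith("#"):  # '#...' is a local component
            findings.append((cref.get("id", ""), href, classify(href)))
    return findings


if __name__ == "__main__":
    # Pass a data stream path, or run without arguments to use SAMPLE.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    results = audit(data)
    for ref_id, href, kind in results:
        print(f"{kind:10} {ref_id} -> {href}")
    sys.exit(1 if any(kind == "v1-sunset" for _, _, kind in results) else 0)
```

The non-zero exit status on a `v1-sunset` finding lets the check gate a scan job, so a stale feed link is caught before the scan silently skips the CVE content.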